[rtempaccount1]

I don't believe that NordVPN make it clear that user's connections could be treated like that (e.g. as bandwidth for other customers)

Unless they make that clear, it's not a great look.

[c256]

Nobody claims that NordVPN customer connections are being used for this; the claim is that they are probably using Oxylab, which is probably using Oxylab customer’s connections, which they are probably using via malware of some unspecified type, so the Oxylab users probably don’t know how their connection is being used.

While some of those leaps of logic are plausible, it’s a lot of guessing.